Repository files navigation

Terraform module to provision public and privatesubnets in an existingVPC

Note: This module is intended for use with an existing VPC and existing Internet Gateway.To create a new VPC, useterraform-aws-vpc module.

Note: Due to Terraformlimitations,many optional inputs to this module are specified as alist(string) that can have zero or one element, rather thanas astring that could be empty ornull. The designation of an input as alist type does not necessarilymean that you can supply more than one value in the list, so check the input's description before supplying more than one value.

The core function of this module is to create 2 sets of subnets, a "public" set with bidirectional access to thepublic internet, and a "private" set behind a firewall with egress-only access to the public internet. Thisincludes dividing up a given CIDR range so that a each subnet gets its owndistinct CIDR range within that range, and then creating those subnets in the appropriate availability zones.The intention is to keep this module relatively simple and easy to use for the most popular use cases.In its default configuration, this module creates 1 public subnet and 1 private subnet in eachof the specified availability zones. The public subnets are configured for bi-directional traffic to thepublic internet, while the private subnets are configured for egress-only traffic to the public internet.

The module supports creating different numbers of public and private subnets per availability zone. This is usefulfor common architectures where you need a single public subnet for load balancers but multiple private subnetsfor different application tiers (web, app, data). You can specify the number and names of public and privatesubnets independently usingpublic_subnets_per_az_count/public_subnets_per_az_names andprivate_subnets_per_az_count/private_subnets_per_az_names variables.

Rather than provide a wealth of configuration options allowing for numerous special cases, this moduleprovides some common options and further provides the ability to suppress the creation of resources, allowingyou to create and configure them as you like from outside this module. For example, rather than give you theoption to customize the Network ACL, the module gives you the option to create a completely open one (and controlaccess via Security Groups and other means) or not create one at all, allowing you to create and configure one yourself.

This module defines a public subnet as one that has direct access to an internet gateway and can accept incoming connection requests.In the simplest configuration, the module creates a single route table with a default route targeted to theVPC's internet gateway, and associates all the public subnets with that single route table.

Likewise it creates a single Network ACL with associated rules allowing all ingress and all egress,and associates that ACL with all the public subnets.

A private subnet may be able to initiate traffic to the public internet through a NAT gateway,a NAT instance, or an egress-only internet gateway, or it might only have direct access to otherprivate subnets. In the simple configuration, for IPv4 and/or IPv6 with NAT64 enabled viapublic_dns64_enabledorprivate_dns64_enabled, the module creates 1 NAT Gateway or NAT Instance for eachprivate subnet (in the public subnet in the same availability zone), creates 1 route table for each private subnet,and adds to that route table a default route from the subnet to its NAT Gateway or Instance. For IPv6,the module adds a route to the Egress-Only Internet Gateway configured via input.

As with the Public subnets, the module creates a single Network ACL with associated rules allowing all ingress andall egress, and associates that ACL with all the private subnets.

Various features are controlled bybool inputs with names ending in_enabled. By changing the defaultvalues, you can enable or disable creation of public subnets, private subnets, route tables,NAT gateways, NAT instances, or Network ACLs. So for example, you could use this module to create onlyprivate subnets and the open Network ACL, and then add your own route table associations to the subnetsand route all non-local traffic to a Transit Gateway or VPN.

For IPv4, you provide a CIDR and the module divides the address space into the largest CIDRs possible that are stillsmall enough to accommodatemax_subnet_count subnets of each enabled type (public or private). Whenmax_subnet_countis left at the default0, it is set to the total number of availability zones in the region. Private subnetsare allocated out of the first half of the reserved range, and public subnets are allocated out of the second half.

For IPv6, you provide a/56 CIDR and the module assigns/64 subnets of that CIDR in consecutive order startingat zero. (You have the option of specifying a list of CIDRs instead.) As with IPv4, enough CIDRs are allocated tocovermax_subnet_count private and public subnets (when both are enabled, which is the default), with the privatesubnets being allocated out of the lower half of the reservation and the public subnets allocated out of the upper half.

This module supports various deployment modes through flexible configuration variables. Understanding these optionsallows you to tailor the subnet architecture to your specific use case.

availability_zones - Explicitly specify which AZs to use:

• Provide a list of AZ names (e.g.,["us-east-1a", "us-east-1b", "us-east-1c"])
• The list ordermust be stable - do not reorder or Terraform will recreate subnets
• If empty, the module uses all available AZs in the region (sorted alphabetically)
• Can be truncated bymax_subnet_count if you specify more AZs than the limit

availability_zone_ids - Use AZ IDs instead of names:

• Provide a list of AZ IDs (e.g.,["use1-az1", "use1-az2"])
• Overridesavailability_zones when set
• Useful for multi-account consistency (AZ names like "us-east-1a" map to different physical locations across accounts, but AZ IDs are consistent)
• The module automatically translates IDs to names for resource creation

max_subnet_count - Controls CIDR reservation for future growth:

• Default:0 (reserves CIDRs for all AZs in the region)
• Recommended: Set to3 or the maximum number of AZs you anticipate using
• The module reserves CIDR space for this many subnets ofeach type (public and private)
• Example: If a region has 4 AZs but you setmax_subnet_count = 3, only 3 subnets will be created, but you can later expand to the 4th without changing existing subnet CIDRs
• Important: This must be a constant value, not computed, due to Terraform limitations

subnets_per_az_count - Create multiple subnets of each type per AZ:

• Default:1 (one public and one private subnet per AZ)
• Set to2 or higher to create multiple subnets per AZ
• Creates thesame number of public and private subnets
• Useful for segmenting workloads within the same AZ (e.g., separate subnets for web tier, app tier, data tier)
• Each subnet gets its own CIDR from the allocated range
• Works withsubnets_per_az_names for organized outputs

subnets_per_az_names - Assign names to subnets for better organization:

• Default:["common"]
• Provide a list of names matchingsubnets_per_az_count (e.g.,["web", "app", "data"])
• Names are used as keys in thenamed_private_subnets_map andnamed_public_subnets_map outputs
• Makes it easy to reference specific subnet groups in other modules
• Example:module.subnets.named_private_subnets_map["web"] returns all web-tier private subnet IDs

public_subnets_per_az_count - Set a different number of public subnets per AZ:

• Default:null (usessubnets_per_az_count for backward compatibility)
• Set this when you need a different number of public vs private subnets
• Common pattern: Set to1 for a single public subnet (for load balancers) while having multiple private subnets
• Must be greater than 0 if specified
• Works independently fromprivate_subnets_per_az_count

public_subnets_per_az_names - Assign names specifically to public subnets:

• Default:null (usessubnets_per_az_names for backward compatibility)
• Provide a list of names matchingpublic_subnets_per_az_count
• Names are used as keys in thenamed_public_subnets_map output
• Example:["public-lb"] for a single load balancer subnet per AZ

private_subnets_per_az_count - Set a different number of private subnets per AZ:

• Default:null (usessubnets_per_az_count for backward compatibility)
• Set this when you need a different number of private vs public subnets
• Common pattern: Set to3 for multi-tier architecture (web, app, data) while having only 1 public subnet
• Must be greater than 0 if specified
• Works independently frompublic_subnets_per_az_count

private_subnets_per_az_names - Assign names specifically to private subnets:

• Default:null (usessubnets_per_az_names for backward compatibility)
• Provide a list of names matchingprivate_subnets_per_az_count
• Names are used as keys in thenamed_private_subnets_map output
• Example:["web", "app", "data"] for a three-tier architecture

public_subnets_enabled - Enable/disable public subnet creation:

• Default:true
• Set tofalse to create only private subnets
• When disabled, NAT Gateways/Instances are also disabled (since they require public subnets)
• Use case: Internal-only VPCs that route through Transit Gateway or VPN

private_subnets_enabled - Enable/disable private subnet creation:

• Default:true
• Set tofalse to create only public subnets
• When disabled, NAT Gateways/Instances are also disabled (since private subnets don't need them)
• Use case: DMZ or edge VPCs with only internet-facing resources

max_nats - Limit the number of NAT devices for cost savings:

• Default:999 (creates one NAT per AZ for high availability)
• Set to1 for cost savings (single NAT, reduced availability)
• Set to2 for balance between cost and availability (two NATs across AZs)
• Cost impact: Each NAT Gateway costs ~$32/month plus data transfer fees
• Availability impact: If the NAT fails (or its AZ fails), private subnets lose internet access
• The module distributes NAT devices across the first N availability zones
• Example: With 3 AZs andmax_nats = 1, only the first AZ gets a NAT Gateway

nat_gateway_public_subnet_indices - Control which public subnet gets the NAT Gateway (by index):

• Default:[0] (place NAT in the first public subnet of each AZ)
• When you have multiple public subnets per AZ, this determines which one hosts the NAT Gateway
• NAT Gateways are shared - one NAT per AZ serves all private subnets in that AZ
• Important: Each subnet index must be less thanpublic_subnets_per_az_count
• Example: Withpublic_subnets_per_az_count = 2 andnat_gateway_public_subnet_indices = [0], the NAT goes in the first public subnet
• Advanced: Set to[0, 1] to create redundant NATs within each AZ (rarely needed, increases cost)
• Cannot be used withnat_gateway_public_subnet_names (choose indices OR names, not both)

nat_gateway_public_subnet_names - Control which public subnet gets the NAT Gateway (by name):

• Default:null (usesnat_gateway_public_subnet_indices instead)
• More intuitive alternative to using indices - specify subnets by name
• References the names frompublic_subnets_per_az_names
• Example:["loadbalancer"] places NAT in the "loadbalancer" subnet
• Example:["loadbalancer", "web"] creates 2 NATs per AZ in both named subnets (expensive)
• Cannot be used withnat_gateway_public_subnet_indices (choose indices OR names, not both)
• Recommended approach for clarity and maintainability

Standard HA deployment (default):

# 1 public + 1 private subnet per AZ, with NAT Gateway per AZpublic_subnets_enabled=trueprivate_subnets_enabled=truemax_subnet_count=3# Reserve space for 3 AZsmax_nats=999# One NAT per AZ

Cost-optimized deployment:

# Single NAT Gateway shared across all private subnetsmax_nats=1# Everything else default

Private-only with Transit Gateway:

# Private subnets only, routing through TGWpublic_subnets_enabled=falseprivate_subnets_enabled=truenat_gateway_enabled=false# Add custom routes to TGW externally

Public-only (DMZ) deployment:

# Public subnets only for internet-facing resourcespublic_subnets_enabled=trueprivate_subnets_enabled=false

Multi-tier architecture per AZ (legacy approach - same number of public and private):

# 3 private AND 3 public subnets per AZ (web, app, data)subnets_per_az_count=3subnets_per_az_names=["web","app","data"]# Access subnets via: named_private_subnets_map["web"]

Multi-tier with separate public/private counts (recommended):

# 1 public subnet per AZ for load balancers# 3 private subnets per AZ for web, app, and data tierspublic_subnets_per_az_count=1public_subnets_per_az_names=["public-lb"]private_subnets_per_az_count=3private_subnets_per_az_names=["web","app","data"]# NAT Gateway automatically goes in the first (and only) public subnet# Can omit nat_gateway config since there's only one public subnet# Access subnets via:#   named_public_subnets_map["public-lb"]#   named_private_subnets_map["web"]#   named_private_subnets_map["app"]#   named_private_subnets_map["data"]

Multiple public subnets with controlled NAT placement:

# 2 public subnets per AZ: one for ALB, one for bastion hosts# Place NAT Gateway in the ALB subnetpublic_subnets_per_az_count=2public_subnets_per_az_names=["alb","bastion"]# OPTION 1: Use subnet name (recommended - more readable)nat_gateway_public_subnet_names=["alb"]# OPTION 2: Use subnet index (alternative)# nat_gateway_public_subnet_indices = [0]  # 0 = first subnet = "alb"# Result: 1 NAT per AZ in the "alb" subnet, shared by all private subnets

Multiple private + multiple public with one NAT in specific subnet:

# Real-world example: Database, app tiers + load balancer and web frontends# 3 private subnets per AZ (database, app1, app2)# 2 public subnets per AZ (loadbalancer, web)# 1 NAT Gateway per AZ in the "loadbalancer" subnetavailability_zones=["us-east-1a","us-east-1b","us-east-1c"]private_subnets_per_az_count=3private_subnets_per_az_names=["database","app1","app2"]public_subnets_per_az_count=2public_subnets_per_az_names=["loadbalancer","web"]# Place NAT Gateway in the "loadbalancer" subnet (by name)nat_gateway_public_subnet_names=["loadbalancer"]# Result per AZ:# - 3 private subnets: database, app1, app2# - 2 public subnets: loadbalancer, web# - 1 NAT Gateway in "loadbalancer" subnet# - All 3 private subnets route to the same NAT# Total: 3 NAT Gateways (one per AZ) = ~$96/month

Multiple private + multiple public with NAT in EACH public subnet (high availability):

# Advanced: Redundant NAT Gateways within each AZ for maximum availability# 3 private subnets per AZ (database, app1, app2)# 2 public subnets per AZ (loadbalancer, web)# 2 NAT Gateways per AZ (one in each public subnet)availability_zones=["us-east-1a","us-east-1b","us-east-1c"]private_subnets_per_az_count=3private_subnets_per_az_names=["database","app1","app2"]public_subnets_per_az_count=2public_subnets_per_az_names=["loadbalancer","web"]# Place NAT Gateways in BOTH public subnets (by name)nat_gateway_public_subnet_names=["loadbalancer","web"]# Alternative using indices:# nat_gateway_public_subnet_indices = [0, 1]# Result per AZ:# - 3 private subnets: database, app1, app2# - 2 public subnets: loadbalancer, web# - 2 NAT Gateways: one in "loadbalancer", one in "web"# - Private subnets distributed across NATs:#   - "database" → NAT in "loadbalancer"#   - "app1" → NAT in "web"#   - "app2" → NAT in "loadbalancer"# Total: 6 NAT Gateways (2 per AZ × 3 AZs) = ~$192/month# WARNING: This is expensive. Use only if you need intra-AZ NAT redundancy.

The module exposes NAT Gateway IDs in the subnet stats outputs, enabling downstream components like networkfirewalls to reference the NAT Gateways associated with each subnet.

named_private_subnets_stats_map - Each private subnet includes the NAT Gateway ID it routes to:

# Output structure (4 fields per subnet):named_private_subnets_stats_map={"database"= [    {      az="us-east-2a"      subnet_id="subnet-abc123"      route_table_id="rtb-def456"      nat_gateway_id="nat-xyz789"# NAT Gateway this subnet routes to for egress    },# ... one entry per AZ  ]"app1"= [... ]"app2"= [... ]}

named_public_subnets_stats_map - Each public subnet includes the NAT Gateway ID if one exists in that subnet:

# Output structure (4 fields per subnet):named_public_subnets_stats_map={"loadbalancer"= [    {      az="us-east-2a"      subnet_id="subnet-ghi789"      route_table_id="rtb-jkl012"      nat_gateway_id="nat-xyz789"# NAT Gateway in this public subnet (if any)    },# ... one entry per AZ  ]"web"= [... ]}

Use case example - Network firewall routing:

# Reference NAT Gateway IDs from subnet statslocals {database_nat_gateways=[forstatsinmodule.subnets.named_private_subnets_stats_map["database"]:stats.nat_gateway_idifstats.nat_gateway_id!=""  ]}# Use in network firewall route configurationresource"aws_networkfirewall_firewall_policy""example" {# ... configuration that needs NAT Gateway IDs}

Multi-account with consistent AZs:

# Use AZ IDs for consistency across accountsavailability_zone_ids=["use1-az1","use1-az2","use1-az4"]# These map to the same physical locations across all accounts

Tip

👽 Use Atmos with Terraform

Cloud Posse usesatmos to easily orchestrate multiple environments using Terraform.
Works withGithub Actions,Atlantis, orSpacelift.

Watch demo of using Atmos with Terraform

Example of runningatmos to manage infrastructure from ourQuick Start tutorial.

module"subnets" {source="cloudposse/dynamic-subnets/aws"# Cloud Posse recommends pinning every module to a specific version# version = "x.x.x"namespace="eg"stage="prod"name="app"vpc_id="vpc-XXXXXXXX"igw_id=["igw-XXXXXXXX"]ipv4_cidr_block=["10.0.0.0/16"]availability_zones=["us-east-1a","us-east-1b"]}

Create only private subnets, route to transit gateway:

module"private_tgw_subnets" {source="cloudposse/dynamic-subnets/aws"# Cloud Posse recommends pinning every module to a specific version# version = "x.x.x"namespace="eg"stage="prod"name="app"vpc_id="vpc-XXXXXXXX"igw_id=["igw-XXXXXXXX"]ipv4_cidr_block=["10.0.0.0/16"]availability_zones=["us-east-1a","us-east-1b"]nat_gateway_enabled=falsepublic_subnets_enabled=false}resource"aws_route""private" {count=length(module.private_tgw_subnets.private_route_table_ids)route_table_id=module.private_tgw_subnets.private_route_table_ids[count.index]destination_cidr_block="0.0.0.0/0"transit_gateway_id="tgw-XXXXXXXXX"}

Seeexamples for working examples. In particular, seeexamples/naclsfor an example of how to create custom Network Access Control Lists (NACLs) outside ofbut in conjunction with this module.

{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}

list(object({
    private = list(string)
    public  = list(string)
  }))

list(object({
    private = list(string)
    public  = list(string)
  }))

[
  "default"
]

[
  0
]

[
  "common"
]

terraform-aws-dynamic-subnets creates a set of subnets based on various CIDR inputs andthe maximum possible number of subnets, which ismax_subnet_count when specified orthe number of Availability Zones in the region whenmax_subnet_count is left atits default value of zero.

You can explicitly provide CIDRs for subnets viaipv4_cidrs andipv6_cidrs inputs if you want,but the usual use case is to provide a single CIDR which this module will subdivide into a setof CIDRs as follows:

1. Get number of available AZ in the region:

existing_az_count = length(data.aws_availability_zones.available.names)

2. Determine how many sets of subnets are being created. (Usually it is2:public andprivate):subnet_type_count.
3. Multiply the results of (1) and (2) to determine how many CIDRs to reserve:

cidr_count = existing_az_count * subnet_type_count

4. Calculate the number of bits needed to enumerate all the CIDRs:

subnet_bits = ceil(log(cidr_count, 2))

5. Reserve CIDRs for private subnets usingcidrsubnet:

private_subnet_cidrs = [ for netnumber in range(0, existing_az_count): cidrsubnet(cidr_block, subnet_bits, netnumber) ]

6. Reserve CIDRs for public subnets in the second half of the CIDR block:

public_subnet_cidrs = [ for netnumber in range(existing_az_count, existing_az_count * 2): cidrsubnet(cidr_block, subnet_bits, netnumber) ]

Note that this means that, for example, in a region with 4 availability zones, if you specify only 3 availability zonesinvar.availability_zones, this module will still reserve CIDRs for the 4th zone. This is so that if you laterwant to expand into that zone, the existing subnet CIDR assignments will not be disturbed. If you do not wantto reserve these CIDRs, setmax_subnet_count to the number of zones you are actually using.

Check out these related projects.

• terraform-aws-vpc - Terraform Module that defines a VPC with public/private subnets across multiple AZs with Internet Gateways
• terraform-aws-vpc-peering - Terraform module to create a peering connection between two VPCs
• terraform-aws-kops-vpc-peering - Terraform module to create a peering connection between a backing services VPC and a VPC created by Kops
• terraform-aws-named-subnets - Terraform module for named subnets provisioning.

This project is under active development, and we encourage contributions from our community.

Many thanks to our outstanding contributors:

For 🐛 bug reports & feature requests, please use theissue tracker.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

1. Review ourCode of Conduct andContributor Guidelines.
2. Fork the repo on GitHub
3. Clone the project to your own machine
4. Commit changes to your own branch
5. Push your work back up to your fork
6. Submit aPull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

We useAtmos to streamline how Terraform tests are run. It centralizes configuration and wraps common test workflows with easy-to-use commands.

All tests are located in thetest/ folder.

Under the hood, tests are powered by Terratest together with our internalTest Helpers library, providing robust infrastructure validation.

Setup dependencies:

• Install Atmos (installation guide)
• Install Go1.24+ or newer
• Install Terraform or OpenTofu

To run tests:

• Run all tests:

  atmostest run

• Clean up test artifacts:

  atmostest clean

• Explore additional test options:

  atmostest --help

The configuration for test commands is centrally managed. To review what's being imported, see theatmos.yaml file.

Learn more about ourautomated testing in our documentation or implementingcustom commands with atmos.

Join ourOpen Source Community on Slack. It'sFREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totallysweet infrastructure.

Sign up forour newsletter and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know.Dropped straight into your Inbox every week — and usually a 5-minute read.

Join us every Wednesday via Zoom for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus alive Q&A that you can’t find anywhere else.It'sFREE for everyone!

Licensed to the Apache Software Foundation (ASF) under oneor more contributor license agreements.  See the NOTICE filedistributed with this work for additional informationregarding copyright ownership.  The ASF licenses this fileto you under the Apache License, Version 2.0 (the"License"); you may not use this file except in compliancewith the License.  You may obtain a copy of the License at  https://www.apache.org/licenses/LICENSE-2.0Unless required by applicable law or agreed to in writing,software distributed under the License is distributed on an"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANYKIND, either express or implied.  See the License for thespecific language governing permissions and limitationsunder the License.

All other trademarks referenced herein are the property of their respective owners.

Copyright © 2017-2025Cloud Posse, LLC